
FreeScout vulnerability enables unauthenticated, zero-click RCE via email (CVE-2026-28289)

  • March 5, 2026

Jasper_The_Rasper
Moderator

March 5, 2026 By Zeljka Zorz


A newly discovered vulnerability (CVE-2026-28289) in the open-source help desk platform FreeScout could allow attackers to take over vulnerable servers by sending a specially crafted email to a FreeScout mailbox.

CVE-2026-28289 exploitation

FreeScout is a free, open-source help desk and shared inbox system used by businesses or teams to manage customer support conversations in one place.

It is built with PHP (Laravel) and MySQL, and it’s designed to be self-hosted – either on-premises, on a cloud server, or a virtual private server.

CVE-2026-28289 is a bypass of the patch for CVE-2026-27636, which was fixed in FreeScout v1.8.206 and stemmed from its file upload restriction list not including .htaccess or .user.ini files.

(.htaccess files are configuration files used on Apache-based web servers to manage website behavior on a per-directory basis, and .user.ini files allow users to change the configuration of PHP on a per-application and per-directory basis.)

“On Apache servers with AllowOverride All (a common configuration), an authenticated user can upload a .htaccess file to redefine how files are processed, enabling Remote Code Execution,” it’s been explained.

OX Security researchers found that the fix for CVE-2026-27636 attempts to prevent dangerous file uploads by appending an underscore to the file extension when a filename either uses a restricted extension or begins with a period (‘.’).

“During code review, we found a way to bypass this filename validation by prepending a Zero-Width Space character (Unicode U+200B) to the filename,” they shared.
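As an added illustration of the defect class described above (this is example code written for this post, not FreeScout's own validation code; the restriction list, function names and sample filenames are constructed for the example), the following Python places a check written the way the article describes the CVE-2026-27636 fix next to a hardened version that canonicalises the filename before validating it. The hardened version drops Unicode format and control code points such as U+200B and also folds NFKC compatibility forms such as a fullwidth full stop, which goes beyond what the article discusses and is an assumption about a sensible defence rather than a description of the actual FreeScout patch.

```python
"""Upload filename validation with Unicode canonicalisation.

Added example, not FreeScout code. Shows why a restriction check that runs on
the raw filename can be bypassed by invisible code points, and how validating
a canonicalised form closes that gap.
"""
import unicodedata

# Constructed restriction list for the example; FreeScout's real list is not
# reproduced here. Note that "htaccess" is deliberately absent, so dotfiles
# are caught only by the leading-period rule, as the article describes.
RESTRICTED_EXTENSIONS = {"php", "phtml", "phar", "ini"}

# Unicode general categories that carry no visible content in a filename:
# Cf = format (U+200B ZERO WIDTH SPACE, U+FEFF), Cc = control, Co = private
# use, Cn = unassigned. Anything in these categories is stripped.
_INVISIBLE_CATEGORIES = {"Cf", "Cc", "Co", "Cn"}


def _extension(name: str) -> str:
    """Lower-cased text after the last '.', or '' when there is no '.'."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def naive_is_blocked(filename: str) -> bool:
    """The check as the article describes the CVE-2026-27636 fix:
    a restricted extension or a filename beginning with a period."""
    return filename.startswith(".") or _extension(filename) in RESTRICTED_EXTENSIONS


def normalize_filename(filename: str) -> str:
    """Canonicalise before validating (assumed defence, not FreeScout's patch):
    1. NFKC folding maps compatibility forms to their canonical characters
       (e.g. U+FF0E FULLWIDTH FULL STOP becomes '.').
    2. Invisible code points are removed; this is where U+200B disappears.
    3. Surrounding whitespace is trimmed."""
    folded = unicodedata.normalize("NFKC", filename)
    visible = "".join(
        ch for ch in folded if unicodedata.category(ch) not in _INVISIBLE_CATEGORIES
    )
    return visible.strip()


def hardened_is_blocked(filename: str) -> bool:
    """Same policy as naive_is_blocked, applied to the canonical form."""
    return naive_is_blocked(normalize_filename(filename))


def sanitize_upload_name(filename: str) -> str:
    """Return the name to store on disk: the canonical form, with '_' appended
    when the policy blocks it (the neutralisation strategy the article
    describes). A name that is empty after stripping is also defanged."""
    name = normalize_filename(filename)
    if name == "" or naive_is_blocked(name):
        return name + "_"
    return name


def compare(filename: str) -> dict:
    """Side-by-side verdicts for one constructed filename."""
    return {
        "input": filename.encode("unicode_escape").decode("ascii"),
        "naive_blocked": naive_is_blocked(filename),
        "hardened_blocked": hardened_is_blocked(filename),
        "stored_as": sanitize_upload_name(filename),
    }


if __name__ == "__main__":
    # Constructed sample filenames: the U+200B case from the article, a
    # U+FEFF variant, a fullwidth-dot variant, and a benign attachment.
    for sample in ("\u200b.htaccess", "\ufeff.user.ini", "shell\uff0ephp", "report.pdf"):
        print(compare(sample))
```

The point of the side-by-side output is that the naive check and the hardened check agree on benign names and disagree exactly on names that carry invisible or compatibility characters, which is what a regression test for this class of bypass should pin down.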

